Detecting Identity-Based Threats with the AlienApp for Okta

Get the latest security news in your inbox.

USM Anywhere is one of the few truly cloud-native security monitoring solutions built to centrally monitor both cloud and on-premises environments. Many cloud-savvy organizations that rely on USM Anywhere to monitor their Amazon Web Services and Microsoft Azure environments also use Okta as their identity and access management solution. Today, we introduced a new AlienApp for Okta that enables you to monitor user activities and detect threats against your Okta account directly from USM Anywhere.

Okta is an enterprise-class identity management service that features provisioning, single sign-on (SSO), Active Directory (AD) and LDAP integration, multifactor authentication (MFA), mobile identity management, and more for cloud and on-premises applications. Recognized by Gartner Inc. as a leader in the “Magic Quadrant for Access Management, Worldwide 2017,” Okta connects and protects employees of many of the world's largest enterprises and provides deep integrations to over 5,000 applications.

The AlienApp for Okta—automatically made available today in USM Anywhere at no additional cost to users—collects and analyzes data directly from the Okta API to detect user credential theft, abuse, policy violations, and other threats. The AlienApp for Okta joins a growing collection of AlienApps that extend the threat detection and security orchestration capabilities of USM Anywhere.

Let’s take a look at how you can leverage identity data from Okta to improve your overall security posture.

Connect USM Anywhere and Okta in Minutes

The AlienApp for Okta is available out of the box in USM Anywhere, with nothing to download or install. All it takes to enable the connection is the URL of your Okta instance and an API key, which can be easily generated from the Okta administration interface. Once connected, USM Anywhere begins to collect data from Okta. USM Anywhere enriches this data and summarizes it in an interactive dashboard, allowing you to easily monitor your Okta activities and to drill down on any data for deeper investigation.

Correlate Identity Data to Detect Potential Threats

Collecting event log information from Okta is a necessary first step, but if you’re like most security professionals with limited resources, you don’t have a lot of time for data exploration and threat hunting. This is where power of combining Okta and USM Anywhere really shines. With AlienVault’s best-in-class threat intelligence built in to USM Anywhere, you can take advantage of continuously updated correlation rules that the AlienVault Labs Security Research Team researches and writes for you, so that you can focus your attention on the events that, in context with other event data flowing into USM Anywhere, represent likely threats.

Let’s take a look at a few examples. Certain activities within Okta may appear innocuous, but can also be an indicator that a user account has been compromised. A user permission modification may be a normal part of your operating procedure, but it can also represent the first step of a malicious actor. These types of events are classified as environmental awareness alarms in USM Anywhere, alerting you to the need to validate that the update was expected and performed by an appropriate user.

Other activity related to identity and access is more overtly suspicious, and in these cases USM Anywhere will generate alarms with higher severity to focus immediate attention on the issue. For example, when a user successfully logs in after multiple authentication failures, this can signal a brute force attack on your authentication system that requires an immediate response. Or, authentication that appears normal may in fact be occurring from a host known to have performed malicious activities in the past, which clearly should trigger an investigation. This type of threat detection is impossible with log files alone, which is why pairing Okta data with the threat intelligence and advanced threat detection capabilities of USM Anywhere is so powerful.

Conclusion

As the leading independent provider of identity for the enterprise, Okta provides a critical security control point and collects valuable data on users, groups, apps and devices. But analyzing this data in isolation is not an effective strategy given today’s ever evolving threat landscape. The AlienApp for Okta makes it easy to incorporate identity data within USM Anywhere and make effective and affordable threat detection attainable for resource-constrained IT teams.

Try It for Yourself

The AlienApp for Okta is included for all USM Anywhere customers at no extra charge, and joins a growing family of AlienApps that includes Microsoft Office 365, Google G Suite, Cisco Umbrella, Carbon Black, and others. Launch the Interactive Online Demo now (no download or installation required) to see how AlienApps can help your organization work more efficiently to reduce the time between threat detection and response.

About the Author:Jeff Olen, AlienVaultJeff joined the AlienVault product management team in 2016, with a primary focus on the USM Anywhere platform. He has more than 15 years of experience managing award-winning software products in a variety of industries including security, education, legal and digital media.
Read more posts from Jeff Olen ›